On Tue, 11 Jul 2023 18:09:26 GMT, Craig Andrews <[email protected]> wrote:
> When loading the default JVM trust store, if the JVM trust store contains an
> invalid certificate, the exception contains insufficient information to
> determine which certificate is invalid, making it very difficult to fix the
> problem.
>
> To reproduce the issue:
> 1. Modify the default JVM trust store to contain invalid information. A very
> easy way to do this on openjdk / red hat systems is to edit
> /etc/pki/ca-trust/extracted/java/cacerts and add garbage text to the file.
> 2. Run this code:
>
> TrustManagerFactory tmf =
>     TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> // initializing the trust store with a null KeyStore will load the default JVM trust store
> tmf.init((KeyStore) null);
>
>
> This stack trace results:
>
> Caused by: java.security.KeyStoreException: problem accessing trust store
>     at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:73)
>     at java.base/javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:282)
>     ... 81 common frames omitted
> Caused by: java.io.IOException: toDerInputStream rejects tag type 97
>     at java.base/sun.security.util.DerValue.toDerInputStream(DerValue.java:1155)
>     at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2013)
>     at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
>     at java.base/java.security.KeyStore.load(KeyStore.java:1473)
>     at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(TrustStoreManager.java:390)
>     at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(TrustStoreManager.java:336)
>     at java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(TrustStoreManager.java:57)
>     at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:49)
>     ... 83 common frames omitted
>
>
> Throwing an exception with a more detailed error message facilitates
> debugging and ultimately fixing such problems.
Caused by: java.security.KeyStoreException: problem accessing trust store
    at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:73)
    at java.base/javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:282)
    ... 73 common frames omitted
Caused by: java.security.KeyStoreException: Failed to load key store: /usr/lib/jvm/java-17-openjdk-17.0.7.0.7-5.fc38.x86_64/lib/security/cacerts
    at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.loadKeyStore(TrustStoreManager.java:390)
    at java.base/sun.security.ssl.TrustStoreManager$TrustAnchorManager.getTrustedCerts(TrustStoreManager.java:336)
    at java.base/sun.security.ssl.TrustStoreManager.getTrustedCerts(TrustStoreManager.java:57)
    at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:49)
    ... 79 common frames omitted
Caused by: java.io.IOException: toDerInputStream rejects tag type 97
    at java.base/sun.security.util.DerValue.toDerInputStream(DerValue.java:1155)
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2013)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
    at java.base/java.security.KeyStore.load(KeyStore.java:1473)
    ... 83 common frames omitted
The `KeyStoreException` inside `KeyStoreException` could be eliminated by
adding a `catch` clause at
https://github.com/openjdk/jdk/blob/257bc1745cf275d691db1801f8dd270b9ff1b324/src/java.base/share/classes/sun/security/ssl/TrustManagerFactoryImpl.java#L67
like this:
    } catch (KeyStoreException ke) {
        // rethrow unchanged so the message naming the trust store path is not wrapped again
        throw ke;
    }
Please let me know if you'd like me to include that change.
Thanks!
-------------
PR Comment: https://git.openjdk.org/jdk/pull/14834#issuecomment-1635157558
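As an added example (not part of this PR or of Craig's code), the following standalone Java diagnostic resolves the file the JSSE default trust store manager would pick (javax.net.ssl.trustStore, otherwise ${java.home}/lib/security/jssecacerts, then cacerts) and loads it directly, so a corrupted store is reported with its path and root-cause parse error without waiting on the JDK change. The class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

public class TrustStoreCheck {

    /** Resolve the trust store file the JSSE defaults would load (assumed order: property, jssecacerts, cacerts). */
    static Path resolveDefaultTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null && !prop.isEmpty()) {
            return Paths.get(prop);
        }
        Path secDir = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = secDir.resolve("jssecacerts");
        return Files.isRegularFile(jsse) ? jsse : secDir.resolve("cacerts");
    }

    /** Load the store directly so the path and the underlying parse error are reported together. */
    static int countTrustedEntries(Path store) throws Exception {
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(store.toFile())) {
            // a null password reads trusted certificates without an integrity check, as the JDK does for cacerts
            ks.load(in, pw == null ? null : pw.toCharArray());
        } catch (Exception e) {
            throw new Exception("Failed to load trust store " + store + ": " + rootCause(e), e);
        }
        return ks.size();
    }

    /** Walk the cause chain to the innermost exception (e.g. the DER tag error). */
    static Throwable rootCause(Throwable t) {
        while (t.getCause() != null && t.getCause() != t) {
            t = t.getCause();
        }
        return t;
    }

    public static void main(String[] args) throws Exception {
        Path store = resolveDefaultTrustStore();
        System.out.println("Default trust store: " + store);
        System.out.println("Trusted entries: " + countTrustedEntries(store));
    }
}
```

Run it with the same JVM and system properties as the affected application; on a healthy store it prints the path and entry count, on a damaged one the thrown message names the file and the DER error.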